Difference between Penetration testing and Vulnerability Scan

In our previous tutorial we learnt what penetration testing (pen testing) is. Today we will learn the difference between penetration testing and vulnerability scanning (also called vulnerability assessment). Many people believe that a penetration test is just a vulnerability scan, but that is a myth: a vulnerability scan or assessment is only one step of a penetration test, i.e. a vulnerability scan is a subset of penetration testing. A vulnerability scan is limited to checking for known vulnerabilities and reports potential exposures of a web-based or network-based IT system; it does not confirm that those exposures can actually be exploited.

Difference between Penetration testing and Vulnerability Scan

A vulnerability assessment is the process of running automated tools against defined systems to identify known vulnerabilities or flaws in the environment. These typically include unpatched or misconfigured systems. The purpose of a vulnerability scan is to identify known vulnerabilities so they can be mitigated, normally by applying vendor-supplied patches or correcting the configuration.

Penetration testing takes the vulnerability assessment to the next level. One of the initial phases of a penetration test is a vulnerability scan used for information gathering: IP addresses, device types, operating systems, running services and the vulnerabilities present on the systems. Unlike a vulnerability scan, however, the penetration tester does not stop there. The next phase of a penetration test is exploitation, which takes advantage of the vulnerabilities identified to escalate privileges, gain control of the network or extract sensitive data from the system. The exploitation phase can also use automated tools, which the penetration tester configures to run exploits against the systems, but one key difference between a penetration tester and a scanner is the tester's ability to also craft and perform manual exploits against the system.
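To make the scanning step concrete, here is an added example (not code from the original post) of the core logic a vulnerability scanner applies after service detection: it parses service banners, extracts a product and version, and matches them against a table of known vulnerable version ranges. The banner lines and the three-entry table are constructed sample data (the table reuses well-known public advisories, but a real scanner pulls thousands of entries from a vendor feed); every finding is deliberately labelled "potential", because version matching is where the scan stops and the penetration tester's exploitation phase begins.

```python
"""Minimal version-matching vulnerability scanner (illustrative example)."""
import re
from dataclasses import dataclass

# Constructed sample output of a service-detection step: "host port banner".
# Hypothetical hosts; the banners mimic common real-world formats.
SCAN_RESULTS = """\
10.0.0.5 22 OpenSSH_7.4p1
10.0.0.5 80 Apache/2.4.49
10.0.0.7 21 vsftpd 2.3.4
10.0.0.7 443 nginx/1.25.3
10.0.0.9 22 OpenSSH_9.6p1
"""

# Constructed sample of a known-vulnerability table:
# (product, first affected version, first fixed version, identifier).
# Ranges are half-open: introduced <= version < fixed.
KNOWN_VULNS = [
    ("Apache", "2.4.49", "2.4.50", "CVE-2021-41773"),   # path traversal, 2.4.49 only
    ("vsftpd", "2.3.4", "2.3.5", "CVE-2011-2523"),      # backdoored 2.3.4 release
    ("OpenSSH", "8.5", "9.8", "CVE-2024-6387"),         # regreSSHion, 8.5p1 - 9.7p1
]


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    product: str
    version: tuple


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    product: str
    version: str
    identifier: str
    # A scanner reports exposure; confirming exploitability is the pentester's job.
    status: str = "potential"


# host, port, then an alphabetic product name followed (after any separator)
# by a dotted numeric version; trailing suffixes such as "p1" are ignored.
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+([A-Za-z]+)\D*?(\d+(?:\.\d+)*)")


def parse_version(text):
    """'2.4.49' -> (2, 4, 49); tuples compare element-wise like versions."""
    return tuple(int(part) for part in text.split("."))


def parse_services(text):
    """Turn banner lines into Service records, skipping lines that do not parse."""
    services = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # do not guess at an unrecognised banner
        host, port, product, version = match.groups()
        services.append(Service(host, int(port), product, parse_version(version)))
    return services


def match_known_vulns(services, table=KNOWN_VULNS):
    """Report every service whose version falls inside a known vulnerable range."""
    findings = []
    for svc in services:
        for product, introduced, fixed, identifier in table:
            if svc.product.lower() != product.lower():
                continue
            if parse_version(introduced) <= svc.version < parse_version(fixed):
                findings.append(Finding(svc.host, svc.port, svc.product,
                                        ".".join(map(str, svc.version)), identifier))
    return findings


def scan(text=SCAN_RESULTS):
    """Full scan step: parse banners, then match against the known-vuln table."""
    return match_known_vulns(parse_services(text))


if __name__ == "__main__":
    for f in scan():
        print(f"{f.host}:{f.port} {f.product} {f.version} -> {f.identifier} ({f.status})")
```

Run against the sample data this reports three potential findings (Apache 2.4.49, vsftpd 2.3.4 and OpenSSH 9.6) and nothing for OpenSSH 7.4 or nginx, which are outside the table's ranges. Note what the scanner cannot tell you: whether the Apache host is behind a WAF, whether a distribution backported the OpenSSH fix without bumping the version, or what an attacker could reach after exploitation. Answering those questions is exactly the manual, exploitation-phase work the paragraph above assigns to the penetration tester.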

Although vulnerability assessment and penetration testing have different goals, both should be performed by a skilled information security professional to improve the overall security of the information system. The penetration test should be performed at least annually and after any significant change in the information systems environment, to identify exploitable vulnerabilities that could give an attacker unauthorized access to the system, while the vulnerability assessment should be performed regularly to identify and mitigate known vulnerabilities on an ongoing basis.

I found the difference list between penetration testing and vulnerability scanning by Berkeley Security quite interesting, so I am sharing it with all of you.

Vulnerability Scan vs. Penetration Test

How often to run
  Vulnerability scan: Continuously, especially after new equipment is loaded
  Penetration test: Once a year

Reports
  Vulnerability scan: Comprehensive baseline of what vulnerabilities exist and changes from the last report
  Penetration test: Short and to the point, identifies what data was actually compromised

Metrics
  Vulnerability scan: Lists known software vulnerabilities that may be exploited
  Penetration test: Discovers unknown and exploitable exposures to normal business processes

Performed by
  Vulnerability scan: In-house staff, increases expertise and knowledge of the normal security profile
  Penetration test: Independent outside service

Required in regulations
  Vulnerability scan: FFIEC; GLBA; PCI DSS
  Penetration test: FFIEC; GLBA; PCI DSS

Expense
  Vulnerability scan: Low to moderate: about $1,200 / yr + staff time
  Penetration test: High: about $5,000 per year for an outside consultancy

Value
  Vulnerability scan: Detective control, used to detect when equipment is/could be compromised
  Penetration test: Preventative control, used to reduce exposure

That’s all about the difference between penetration testing and vulnerability scanning. We can conclude that a vulnerability scan is basically the first phase of a penetration test, and that the penetration test goes on to verify which of the reported exposures can actually be exploited. Keep Learning and Keep Connected.